Chainbreaker
Description
Chainbreaker extracts user credentials from a Keychain file, using either the Master Key or the user's password, in a forensically sound manner. Master Key candidates can be obtained with volafox or with the volatility keychaindump module.
Installation
$ git clone https://github.com/n0fate/chainbreaker.git
Usage
Syntax
$ python chainbreaker.py [-h] -f FILE (-k KEY [KEY ...] | -u UNLOCKFILE | -p PASSWORD)
Options
- -h, --help: show this help message and exit
- -f FILE, --file FILE: Keychain file(*.keychain)
- -k KEY [KEY ...], --key KEY [KEY ...]: Keychain Masterkey
- -u UNLOCKFILE, --unlockfile UNLOCKFILE: System.keychain unlock file (/var/db/SystemKey)
- -p PASSWORD, --password PASSWORD: Keychain Password
Example
$ python chainbreaker/chainbreaker.py -f login.keychain-db -p "****ns1ccl4v13"
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:48:28
[-] Last Modified DateTime: 2019-04-15 11:48:28
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : ids: identity-rsa-public-key
[-] Alias :
[-] Account : identity-rsa-public-key
[-] Service : ids
[-] Password: [binary data omitted]
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:48:28
[-] Last Modified DateTime: 2019-04-15 11:48:28
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : ids: identity-rsa-private-key
[-] Alias :
[-] Account : identity-rsa-private-key
[-] Service : ids
[-] Password: [binary data omitted]
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:48:28
[-] Last Modified DateTime: 2019-04-15 11:48:28
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : ids: identity-rsa-key-pair-signature-v1
[-] Alias :
[-] Account : identity-rsa-key-pair-signature-v1
[-] Service : ids
[-] Password: 3764C1DA-3C0F-4DE0-BC1A-CA56C3FF9D78
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:48:29
[-] Last Modified DateTime: 2019-04-15 11:48:29
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : ids: unregistered-message-protection-key
[-] Alias :
[-] Account : unregistered-message-protection-key
[-] Service : ids
[-] Password: [binary data omitted]
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:48:29
[-] Last Modified DateTime: 2019-04-15 11:48:29
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.ids: localdevice88c6e0e4-0371-409e-a73c-f793db45ab52-AuthToken
[-] Alias :
[-] Account : localdevice88c6e0e4-0371-409e-a73c-f793db45ab52-AuthToken
[-] Service : com.apple.ids
[-] Password: 8B5D1052-0A7A-4E2B-A36F-FA909526A7F2
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:48:30
[-] Last Modified DateTime: 2019-04-15 11:48:30
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : Apple Persistent State Encryption
[-] Alias :
[-] Account : Window Bitmap Encryption
[-] Service : Apple Persistent State Encryption
[-] Password: 1541E930A7182180A31E3CCF3FFB1772
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:56:43
[-] Last Modified DateTime: 2019-04-15 11:56:43
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : Safari Forms AutoFill Encryption Key
[-] Alias :
[-] Account :
[-] Service : Safari Forms AutoFill Encryption Key
[-] Password: DMZllTiRUxGIPEzhVE87Nw==
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:48:59
[-] Last Modified DateTime: 2019-04-15 13:22:35
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.assistant
[-] Alias :
[-] Account : 48096B92-6345-4A49-B298-DE4BA1D93C1E - Validation Data
[-] Service : com.apple.assistant
[-] Password: [binary data omitted]
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Assistant Identifier</key>
<string>D45843A4-8029-4B53-94CB-4E40CA125F5A</string>
</dict>
</plist>
[binary data omitted]
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:48:59
[-] Last Modified DateTime: 2019-04-15 13:22:35
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.assistant
[-] Alias :
[-] Account : 48096B92-6345-4A49-B298-DE4BA1D93C1E - Assistant Identifier
[-] Service : com.apple.assistant
[-] Password: D45843A4-8029-4B53-94CB-4E40CA125F5A
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:49:07
[-] Last Modified DateTime: 2019-04-15 11:49:07
[-] Description :
[-] Creator : aapl
[-] Type :
[-] PrintName : MetadataKeychain
[-] Alias :
[-] Account :
[-] Service : MetadataKeychain
[-] Password: uNB{@tUo\ulJ7qenV0La
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:49:51
[-] Last Modified DateTime: 2019-04-15 11:49:51
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : Safari Session State Key
[-] Alias :
[-] Account :
[-] Service : Safari Session State Key
[-] Password: gHT0xlYPWu79VtEa8Fy9qQ==
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:49:00
[-] Last Modified DateTime: 2019-04-15 13:22:35
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.assistant
[-] Alias :
[-] Account : 48096B92-6345-4A49-B298-DE4BA1D93C1E - Host Creation UUID
[-] Service : com.apple.assistant
[-] Password: [binary data omitted]
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:49:00
[-] Last Modified DateTime: 2019-04-15 13:22:35
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.assistant
[-] Alias :
[-] Account : 48096B92-6345-4A49-B298-DE4BA1D93C1E - Speech Identifier
[-] Service : com.apple.assistant
[-] Password: FAA8065B-2AC6-48AB-995E-2400BF19B1C1
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 12:03:13
[-] Last Modified DateTime: 2019-04-15 12:03:13
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.account.Google.oath-refresh-token
[-] Alias :
[-] Account : ******[email protected]
[-] Service : com.apple.account.Google.oath-refresh-token
[-] Password: 1/miHEgeE24-P7Cy4QhPMr0FAwKY8OtBy4ZqwEXPx5lls
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 12:03:13
[-] Last Modified DateTime: 2019-04-15 12:03:13
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.account.Google.oauth-expiry-date
[-] Alias :
[-] Account : ******[email protected]
[-] Service : com.apple.account.Google.oauth-expiry-date
[-] Password: 577081945.493610
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 12:03:13
[-] Last Modified DateTime: 2019-04-15 12:03:13
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.account.Google.oauth-token
[-] Alias :
[-] Account : ******[email protected]
[-] Service : com.apple.account.Google.oauth-token
[-] Password: ya29.GmDsBltJT656nE1tpaFzIV0BWmyxdzdjX5jB232fdea461HkZKuxW29BYuo1V-42WTGRGbXNiCwCDcpCpMSkplU0HRm_gA8Ixj4Lycd2kBBi1SMbLQEEYzH461dGDp0qfwo
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 12:07:15
[-] Last Modified DateTime: 2019-04-15 12:07:15
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : gmail
[-] Alias :
[-] Account : ******[email protected]
[-] Service : gmail
[-] Password: ih*****ple89
[+] Generic Password Record
[-] Create DateTime: 2019-04-15 11:51:12
[-] Last Modified DateTime: 2019-04-15 13:22:35
[-] Description :
[-] Creator :
[-] Type :
[-] PrintName : com.apple.assistant
[-] Alias :
[-] Account : 48096B92-6345-4A49-B298-DE4BA1D93C1E - Server Certificate Data
[-] Service : com.apple.assistant
[-] Password: [binary data omitted]
[!] Certification Table is not available
[+] Public Key Record
[+] Public Key Record
[+] Public Key Record
[+] Private Key Record, dumped to disk
[+] Private Key Record, dumped to disk
[+] Private Key Record, dumped to disk
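The output above is a flat run of [+] record headers and [-] fields, and a binary Password value can spill over several unmarked lines. The following is an added example, not part of chainbreaker or of the original page: it parses that layout and builds a report inventory that identifies each stored secret by a keyed tag instead of reproducing it. The names parse, inventory and case_key, and the sample text, are assumptions made for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample in the layout shown above; every value is made up.
SAMPLE = (
    "[+] Generic Password Record\n"
    "[-] Create DateTime: 2019-04-15 11:48:28\n"
    "[-] Account : alice@example.test\n"
    "[-] Service : example-service\n"
    "[-] Password: constructed-secret\n"
    "[+] Generic Password Record\n"
    "[-] Service : example-blob\n"
    "[-] Password: \x01\x02\n\x03\x04 rest of blob\n"
    "[!] Certification Table is not available\n"
    "[+] Public Key Record\n"
)
FIELD = re.compile(r"^\[-\] ([^:]+?)\s*:\s?(.*)$")

def parse(text):
    """Group chainbreaker-style output lines into records."""
    records, current, key = [], None, None
    for line in text.split("\n"):
        if line.startswith(("[+] ", "[!] ")):
            current, key = None, None
            if line.startswith("[+] "):
                current = {"type": line[4:], "fields": {}}
                records.append(current)
        elif current is not None and (m := FIELD.match(line)):
            key = m.group(1)
            current["fields"][key] = m.group(2)
        elif current is not None and key is not None:
            # No marker: continuation of a multi-line (binary) value.
            current["fields"][key] += "\n" + line
    return records

def inventory(records, case_key):
    """Report rows that describe each secret without reproducing it."""
    rows = []
    for fields in (r["fields"] for r in records if "Password" in r["fields"]):
        secret = fields["Password"].encode("utf-8", "replace")
        rows.append({
            "service": fields.get("Service", ""),
            "account": fields.get("Account", ""),
            "printable": fields["Password"].isprintable(),
            # Keyed tag: equal secrets match; useless for guessing without case_key.
            "tag": hmac.new(case_key, secret, hashlib.sha256).hexdigest()[:16],
        })
    return rows
```

Generate case_key once per case (for example with secrets.token_bytes(32)) and store it with the evidence, not in the report.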